Blog: Focus On Regulation | 29 November 2013
On November 18, 2013, the Department of Defense (DoD) published a Final Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address requirements for safeguarding unclassified controlled technical information.[1] This rule has been in development for over two years with DoD originally publishing a rule-making Notice on March 3, 2010,[2] and a Proposed Rule on June 29, 2011.[3] The Proposed Rule would have created two categories of security protections: “Basic” and “Enhanced.” We summarized the Proposed Rule in a Client Alert in July 2011 here. After receiving extensive industry comments, DoD amended the Proposed Rule to limit the categories of covered information and require only one level of security protection. However, there are still some uncertainties in the Final Rule, such as the lack of a safe harbor for contractors that adopt stringent security measures.
DoD issued a statement on November 19 stating that the Final Rule is “one of many significant follow-on actions to Secretary Hagel’s Oct. 10 memo directing actions to protect DoD unclassified controlled technical information from cyber intrusions and minimize the consequences associated with loss of this information.” Hagel’s October memorandum explained that such data was of increasing concern to the Pentagon because it could give adversaries “extraordinary insight into the United States' defense and industrial capabilities” and allow them to more quickly develop similar capabilities of their own.
Development of the Rule
The 2010 Notice proposed changes to the DFARS that would require contractors and subcontractors to provide “adequate security” to safeguard “DoD information” on their unclassified information systems from unauthorized access and disclosure. The notice created two levels of security for DoD information:
Basic: Applies to any DoD information on a contractor's unclassified information systems.
Enhanced: Applies to DoD information on a contractor's unclassified information systems that is: (1) designated as Critical Program Information; (2) subject to ITAR and EAR regulations; (3) designated for withholding from public release under DoD FOIA; (4) bears current or prior designations indicating controlled access and dissemination (e.g.,For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive); (5) technical data, computer software, and any other technical information covered by DoD Directive 5230.24 (Distribution Statements on Technical Documents) and DoD Directive 5230.25 (Withholding of Unclassified Technical Data from Public Disclosure); or (6) personally identifiable information.[4]
DoD published the Proposed Rule in June 2011. The Proposed Rule would have amended Parts 204 and 252 of the DFARS by adding subpart 204.74 Safeguarding Unclassified DOD Information, section 252.204-70XX Basic Safeguarding of Unclassified DOD Information, and section 252.204-70YY Enhanced Safeguarding of Unclassified DOD Information. Subpart 204.74 would require certain security measures to be included in all Government contracts and solicitations involving unclassified nonpublic Government information, regardless of the size and scope of the contract. The Proposed Rule contained “Basic” security guidelines, as well as “Enhanced” protections for the types of more sensitive Government information described above. The Proposed Rule also required reporting on certain cyber intrusion events that affect DoD information resident on or transiting through contractor unclassified information systems.
Changes from the 2011 Proposed Rule
After receiving 49 comments on the Proposed Rule, DoD has significantly reduced the categories of information covered. The Final Rule only applies to the safeguarding of “unclassified controlled technical information” a term that includes technical data, computer software, and any other technical information covered by DoD Directive 5230.24 Distribution Statements on Technical Documents and DoD Directive 5230.25 Withholding of Unclassified Technical Data from Public Disclosure. Moreover, the onus is on DoD to ensure that such information is properly marked with a distribution statement per DoD Instruction 5230.24.[5]
In addition, the following significant changes were made to the Final Rule:
Related Proposed FAR Rule on “Basic” Safeguarding
A Proposed Rule published August 24, 2012, (the “FAR Proposed Rule”) as FAR Case 2011-020,[9] would add a new FAR Subpart 4.17 and associated contract clause requiring “basic safeguarding” for contractor information systems where information provided by or generated for the Government will reside on or transit through those systems. The FAR Proposed Rule defines “basic protection measures” as “first-level information technology security measures used to deter unauthorized disclosure, loss, or compromise.”[10] The FAR Proposed Rule would impose the safeguarding requirements through a new contract clause, FAR 52.204-XX, Basic Safeguarding of Contractor Information Systems, prescribed for all solicitations and contracts above the simplified acquisition threshold when the prime contractor or any subcontractor at any tier “may have” information provided by or generated for the Government residing on or transiting through its information systems. [11]
In addition to FAR Case 2011-020, other overlapping examples of federal cybersecurity-related initiatives under development that would apply to DoD contractors include:
Outstanding Concerns
While DoD’s narrowing of the Final Rule has largely been applauded by industry, there are several issues that raise concerns. First, the Final Rule’s definition of “adequate security” provides no objective standard that the contractor can meet.[12] Given the evolving nature of cybersecurity threats, new security technology and processes are constantly being developed. Contractors will always examine the trade-off between the potential losses from cyber events and the significant costs of adding security measures. Cybersecurity incidents are often difficult to prevent, even if a contractor maintains a high standard of security. Yet the Government has declined to adopt a “safe harbor” for contractors that adhere to high standards of security. Specifically, DFARS 204.7302(b)(2) states that ‘‘A cyber incident that is properly reported by the contractor shall not, by itself, be interpreted under this clause as evidence that the contractor has failed to provide adequate information safeguards . . .’’ The Federal Register notice states that the Government does not intend to provide any safe harbor assurances.[13] Second, a subcontractor could find themselves subject to both the “Basic” safeguarding (FAR Proposed Rule) and DoD’s “Enhanced” safeguarding (Final Rule). Many subcontractors perform work for more than one prime contractor, making it possible that a subcontractor will face different security standard requirements as well as conflicting interpretations of those requirements. It is also unclear how these rules interact regarding whether a party has any affirmative responsibility for reviewing or approving a subcontractor’s level of security. For example, the Final Rule “requires that prime contractors report when unclassified controlled technical information has potentially been compromised regardless of whether the incident occurred on a prime contractor’s information system or on a subcontractor’s information system.”[14] Finally, and perhaps most importantly, while the type of information covered by the security requirements was narrowed, DoD expanded the application of the requirements by making clear that an internet service provider or cloud service provider would be considered a subcontractor under this rule. Specifically, the preamble states that “[a]n Internet Service Provider (ISP) or cloud service provider constitutes a subcontractor in this context. The contractor is responsible for ensuring that the subcontractor complies with the requirements of this rule within the scope of this rule.”[15] Michael J. Scheimer, an Associate in Hogan Lovells' Government Contracts Practice, contributed to this post.
